09-29-2018 02:43 AM - edited 03-08-2019 04:16 PM
Hello,
we are running IOS 15.5(3)S6 on a 7600 with RSP 720. We are seeing a strange behavior with ACL and object-groups:
Network object group tmp
host 1.2.3.4
deny icmp object-group tmp any
expected result: ping from any host except 1.2.3.4 should work.
actual result: ping does not work.
It seems that "object-group tmp" equals to "any", because it matches everything.
Of course if I try:
deny icmp h 1.2.3.4 any
ping works except from 1.2.3.4, as expected.
09-29-2018 04:20 AM
Hi,
Please share your configuration. I remember that one day I faced the same issue; then I created two object groups, one for deny and one for forwarding. I am not sure whether you are facing the same issue or not. Please share the full running configuration so I can understand it easily.
Regards,
Deepak Kumar
09-29-2018 04:59 AM
Thank you for your reply.
Configuration is very simple:
ip access-list extended tmp
deny icmp object-group tmp any
object-group network tmp
host 1.2.3.4
interface GigabitEthernet6/2
switchport
switchport access vlan 2
switchport mode access
ip access-group tmp in
It seems that instead of matching only the content of the object-group, it matches everything. Really sounds like a bug.
09-29-2018 05:17 AM
Well, it really seems that is a bug:
R1#sh tcam interface GIgabitEthernet6/2 acl in ip
* Global Defaults shared
Entries from Bank 0
deny icmp any (---> this is the problem) any (8610 matches)
permit ip any any
Entries from Bank 1
permit ip any any (369620 matches)
09-29-2018 06:20 PM
Just tried with 15.4(3)S9: same problem.
Is there someone successfully using object-groups on a 7600 with IOS 15.4/15.5?
09-30-2018 03:52 AM - edited 09-30-2018 04:08 AM
Hello
Looks like you're specifying the network object-group for that particular host and you're using an extended ACL without negating the implicit deny.
ip access-list extended tmp
deny icmp object-group tmp any
permit ip any any
09-30-2018 05:45 AM
09-30-2018 06:44 AM
Hello
Why are you applying this to an access port and not the svi for that vlan?
09-30-2018 12:22 PM
Hi,
There is no particular reason, it's just for testing the ACL. I also tried with port not belonging to any VLAN with the same result:
Network object group testobj
Description test
host 1.2.3.4
Extended IP access list tmp
10 deny ip object-group testobj any
20 permit ip any any
After applying the ACL inbound to the port:
Actual result:
R1#sh tcam interface GigabitEthernet6/1 acl in ip
* Global Defaults shared
Entries from Bank 0
deny ip any any
Expected result:
R1#sh tcam interface GigabitEthernet6/1 acl in ip
* Global Defaults shared
Entries from Bank 0
deny ip host 1.2.3.4 any
permit ip any any
Thank you
Saverio
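A check for the mismatch shown above, added here as an example and not part of the thread: it expands the object-group ACEs of a running-config into the per-host entries the TCAM should hold and diffs them against the "show tcam ... acl in ip" output. The config and show-output samples are constructed; only "host" members of a network object-group are expanded.

```python
import re

# Constructed samples shaped like the thread's running-config and 'show tcam' output.
CONFIG = """\
object-group network testobj
 host 1.2.3.4
ip access-list extended tmp
 deny ip object-group testobj any
 permit ip any any
"""
TCAM_ACTUAL = """\
Entries from Bank 0
deny ip any any
"""

def parse_object_groups(config):
    """Map object-group name -> its 'host a.b.c.d' members (host members only)."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif not line.startswith(" "):      # left the object-group block
            current = None
        elif current is not None and line.startswith(" host "):
            current.append(line.strip())
    return groups

def expected_entries(config, acl_name):
    """Expand acl_name's ACEs: an object-group yields one entry per member host."""
    groups, entries, in_acl = parse_object_groups(config), [], False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            in_acl = line.split()[-1] == acl_name
        elif not line.startswith(" "):
            in_acl = False
        elif in_acl:
            ace = line.split()
            ace = ace[1:] if ace[0].isdigit() else ace   # drop a leading sequence number
            if "object-group" in ace:
                i = ace.index("object-group")
                for member in groups.get(ace[i + 1], []):
                    entries.append(" ".join(ace[:i] + member.split() + ace[i + 2:]))
            else:
                entries.append(" ".join(ace))
    return entries

def tcam_mismatches(tcam_output, expected):
    """Return (expected entries missing from TCAM, programmed entries not expected)."""
    programmed = [re.sub(r"\s*\(\d+ matches\)", "", l.strip())   # strip hit counters
                  for l in tcam_output.splitlines() if re.match(r"\s*(permit|deny) ", l)]
    return ([e for e in expected if e not in programmed],
            [p for p in programmed if p not in expected])
```

A non-empty first list means the expanded ACE was not programmed; a "deny ip any any" in the second list is exactly the symptom the thread describes.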
09-30-2018 01:50 PM
Hello
It needs to be applied to a routed interface, not an access port, so in your case interface vlan 2.
09-30-2018 02:28 PM
The same problem is happening on a L3 interface:
interface GigabitEthernet6/1
ip address 2.2.2.2 255.255.255.0
ip access-group tmp in
end
10-10-2018 04:16 AM
I have tried about 6 different IOS versions and different chassis. This bug is always present. I can't understand how it is possible that nobody reported this problem; object-group is a very basic feature...